Issue with _delete_by_query

Hi,
We've encountered a kind of strange issue and solved it with a workaround, but we're not sure if the issue is caused by a bug or by the request string.
We had to delete certain entries from an index; according to the documentation, the query has to look like this:

curl -XPOST "http://kibana.company.com:9200/_delete_by_query" -H 'Content-Type: application/json' -d'
{
"query": {
"bool": {
"must": [
{
"match": {
"_index": {
"query": "xxx-6.5.4-error-*"
}
}
},
{
"match": {
"context.service.name": {
"query": "xxx-production"
}
}
},
{
"range": {
"@timestamp": {
"lt": "2019-04-05",
"gte": "2019-04-04",
"format": "yyyy-MM-dd||yyyy-MM-dd||yyyy||yyyy-MM"
}
}
}
]
}
}
}
'
But this call throws an error:
{"error":"Incorrect HTTP method for uri [/_delete_by_query] and method [POST], allowed: [HEAD, PUT, GET, DELETE]","status":405}

But the corresponding search query is fine:
curl -XGET "http://kibana.company.com:9200/_search" -H 'Content-Type: application/json' -d'
{
"query": {
"bool": {
"must": [
{
"match": {
"_index": {
"query": "xxx-6.5.4-error-*"
}
}
},
{
"match": {
"context.service.name": {
"query": "xxx-production"
}
}
},
{
"range": {
"@timestamp": {
"lt": "2019-12-31",
"gte": "2019-01-01",
"format": "yyyy-MM-dd||yyyy-MM-dd||yyyy||yyyy-MM"
}
}
}
]
}
}
}
'
and delivered 2800 entries, as expected.

We've only been able to get the delete done by adding the index into the URI
curl -XPOST 'http://kibana.company.com:9200/xxx-6.5.4-error-date/_delete_by_query'
and executing it per day.

We are currently running elastic 6.3. But I'm assuming this is not related to the version.

Any idea?

Best regards

Heya @afassl!

_delete_by_query requires the index patterns to be included in the url.
curl -XPOST "http://kibana.company.com:9200/my-index/_delete_by_query" should work.

I just tested this and it worked. I had a document count of 73,000, which got deleted.

curl -XPOST "http://elkm01:9200/metricbeat_sysstat_2019/_delete_by_query?conflicts=proceed" -H 'Content-Type: application/json' -d'
     {
       "query": {
         "range": {
           "@timestamp": {
             "gte": "01-01-2019",
             "lte": "02-01-2019",
             "format": "MM-dd-yyyy||yyyy-MM-dd||yyyy||yyyy-MM"
           }
         }
       }
     }'

Thanks a lot - so - a feature - not a bug.

Last question - possible to use a wildcard in the index? Not sure if this will be parsed, as we've already removed the data - can't test that

But again - thanks a lot

Best regards
Andreas

Yes, you can use a wildcard in the query and delete the data.
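
The index-in-URL form discussed in this thread, combined with a count check before the delete, as an added example that is not part of the original posts. `ES_URL`, the function names and the values in the usage line are assumptions for illustration; the service name and dates are interpolated unescaped, so they are assumed to contain no quotes.

```bash
#!/usr/bin/env bash
# Added example: count first, then delete, with the index pattern in the URL.
# ES_URL is a placeholder for the cluster address.
ES_URL="${ES_URL:-http://localhost:9200}"

# Build the index-scoped endpoint. An empty pattern is refused so the request
# never degrades to the index-less /_delete_by_query that returned 405 above.
dbq_endpoint() {   # $1 = index pattern, $2 = API (_count | _delete_by_query)
  [ -n "$1" ] || { echo "index pattern required" >&2; return 1; }
  printf '%s/%s/%s' "$ES_URL" "$1" "$2"
}

# Query body: service name plus a half-open day range [from, to).
# The index is no longer matched on _index; it is selected by the URL.
dbq_body() {       # $1 = service name, $2 = from (yyyy-MM-dd), $3 = to
  printf '{"query":{"bool":{"must":[{"match":{"context.service.name":{"query":"%s"}}},{"range":{"@timestamp":{"gte":"%s","lt":"%s","format":"yyyy-MM-dd"}}}]}}}' "$1" "$2" "$3"
}

# Run _count with the same body, show the result, delete only when confirmed.
safe_delete() {    # $1 = index pattern, $2 = service, $3 = from, $4 = to
  body=$(dbq_body "$2" "$3" "$4") || return 1
  count_url=$(dbq_endpoint "$1" _count) || return 1
  delete_url=$(dbq_endpoint "$1" _delete_by_query) || return 1
  curl -sS -XGET "$count_url" -H 'Content-Type: application/json' -d "$body"
  echo
  printf 'Delete these documents? [y/N] '
  read -r answer
  [ "$answer" = "y" ] || { echo "aborted"; return 1; }
  curl -sS -XPOST "${delete_url}?conflicts=proceed" \
       -H 'Content-Type: application/json' -d "$body"
}

# Usage (nothing is sent until this is called):
#   safe_delete 'xxx-6.5.4-error-*' xxx-production 2019-04-04 2019-04-05
```

Because the count and the delete share one body and one index pattern, the number shown at the prompt is the number of documents the delete will target at that moment.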